RSA security researchers have found the so-called ChewBacca Trojan on equipment that processes credit card payments. The malware scans working memory for certain patterns and also has keylogging functionality.
The memory scanner of the ChewBacca Trojan makes a copy of the working memory and uses regular expressions to search for data that appears to come from the magnetic stripe of a credit card. If a credit card number is found, it is sent to a central server and stored there.
The data captured by ChewBacca is sent via the Tor network, which the criminals use to hide the IP address of the command-and-control server; the server was reachable only via a .onion address. According to RSA, the ChewBacca malware disguises itself as spoolsv.exe, the file name of the Windows Print Spooler. Deleting this file would have cleaned an infected system.
The server backend of the ChewBacca malware gives the criminals a simple web interface to the stolen data and the botnet, RSA further reports. The security company is said to have traced an administrator of the botnet to a country in Eastern Europe, until the trail disappeared into the anonymity of the Tor network. After receiving information from RSA, the FBI was able to take down a server belonging to the cybercriminals.
RSA states that despite its simple structure and functionality, the ChewBacca Trojan has proven very successful in recent months at stealing credit card data from numerous companies in 11 countries. According to Reuters, more than 49,000 credit card details were copied, and more than 24 million transaction records were also reportedly viewed. The security company advises companies to protect their payment systems with better encryption and to install better monitoring software.
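A check of the kind RSA's recommended monitoring would perform, added here as an example that is not part of RSA's report or of the malware itself: it scans a memory snapshot (a constructed byte string) for plaintext Track 2 magnetic-stripe data, Luhn-validates each candidate to cut false positives, and reports only masked card numbers. The Track 2 layout and the card numbers used are assumptions taken from public card standards and industry test numbers, not from the article.

```python
import re

# Track 2 layout (assumed from public card standards): PAN of 13-19 digits,
# '=' separator, YYMM expiry, 3-digit service code, discretionary data, '?'.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so the report itself holds no usable PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(snapshot: bytes) -> list:
    """Return masked findings for every plausible Track 2 record in a memory snapshot."""
    findings = []
    for m in TRACK2_RE.finditer(snapshot):
        pan = m.group(1).decode()
        yy, mm, service = (m.group(i).decode() for i in (2, 3, 4))
        if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
            continue        # checksum or expiry month rules it out
        findings.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{mm}/{yy}",
            "service_code": service,
        })
    return findings


# Constructed snapshot: two valid test-card records around one Luhn-invalid decoy.
SAMPLE_MEMORY = (
    b"\x00\x00PrintSpooler\x00"
    + b";4111111111111111=2512101000000000?"   # industry test PAN, Luhn-valid
    + b"\x00\x001234567890123456=2512101?"      # fails Luhn, must be ignored
    + b"\x00log line\x005555555555554444=2606201?"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

Run against a real process dump, a non-empty result means card data sits unencrypted in memory, which is exactly the condition a RAM scraper exploits and the encryption advice above is meant to remove.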